This might also interest you...

Morrisons held liable in data leak trial involving thousands of employees

13 Dec 2017

Morrisons has been found liable for the actions of a former member of its staff who stole the data of thousands of employees and posted it online.


Workers brought a claim against the company after employee Andrew Skelton, former senior internal auditor at the supermarket’s’ Bradford headquarters, stole the data of nearly 100,000 staff. The former employee then posted this payroll information including; salary, bank details, National Insurance details, addresses and phone numbers, on the internet.


Skelton was jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data.


Lawyers said the data theft meant 5,518 former and current employees were exposed to the risk of identity theft and potential financial loss and that the company was responsible for breaches of privacy, confidence and data protection laws.


A Landmark Decision


On 1st Decemeber, the data leak trial came to a conclusion. The High Court found Morrisons accountable for the actions of former employee, Andrew Skelton. The judge, Mr Justice Langstaff, ruled that Morrisons was “vicariously liable” for the leak of its employees’ information.


The High Court ruling now allows those affected to claim compensation for the "upset and distress" caused.


The solicitor representing the 5,518 claimants stated that;


“We welcome the judgment and believe that it is a landmark decision, being the first data leak class action in the UK. Data breaches are not a trivial or inconsequential matter. They have real victims. At its heart, the law is not about protecting data or information – it is about protecting people.”


Morrisons, which denies liability, has said it will appeal the decision.


Commenting on the recent decision, David Gibson of Short Richardson & Forth explains;


“Employers should ensure that the contracts of employment and data protection policies clearly state that such practices could result in disciplinary sanction-including dismissal and criminal prosecution. Employers should undertake spot checks to make sure that all workers understand and are compliant with regard to not misusing information. This includes misuse of information via social media platforms.”


If you are an employer and would like advice on your duties with regard to data protection laws including the upcoming GDPR, please contact David Gibson at or telephone 0191 232 0283.

Share on Facebook
Share on Twitter
Please reload

Please reload

  • FB
  • Twitter
  • LinkedIn
  • Youtube

Short Richardson & Forth, 4 Mosley Street, Newcastle upon Tyne, NE1 1DE

Tel: +44 (0)191 232 0283  ·  Email:


Short Richardson and Forth Solicitors Limited is a private limited company registered in England and Wales under company number 10572065, authorised and regulated by the Solicitors Regulation Authority No 637150.

Short Richardson and Forth Solicitors Limited is a private limited company constituted and run in accordance with the provisions of the Companies Act 2006. The term “partner” has been used to denote individual senior solicitors employed by Short Richardson and Forth Solicitors Limited.